Friday, January 13, 2006
Talking to Auditors
13:20 | Posted by Sean McCown
About a month ago, we finished our last round of audits and I wanted to share a little bit with you about how to talk to auditors, or better yet, how not to talk to them.
Here's a fine example of how you should not talk to an auditor.
One of our guys, I'm sorry to say a DBA, walked into a room where the bosses were holding a meeting and announced that none of our backups across the board were working, and had been failing for a couple days. We're completely unprotected!!
Of course, you guessed it, they were meeting with the auditor from D&T. In his defense, he said he had no idea that was an auditor and he never would have said that if he did. OK guys, let's put this rule on the table right now. Don't go announcing things like that at all. If there's someone in the room you don't recognize, keep your mouth shut, send an email, pull them out of the room, whatever, but don't just announce that your shop is falling apart.
Most companies will tell you when the auditors are going to be there, and will tell you to refrain from discussing sensitive business outside of your immediate area. This is an excellent tactic, and we do that too, so why this incident happened, I'll never know.
So how should you talk to an auditor then? There are 2 areas you need to worry about.
The first is before and after the interview. Auditors like to come up to your desk or pin you in the hall and ask you questions about your environment. That's fine for them, but you need to get with your managers and decide how you're going to handle this situation... remember, anything you say can and will be used against you in a court of audit. What we do is refer all questions back to our boss. If an auditor asks me a question outside of the interview, I say, send your question to my boss. He then asks me the question, and I in turn send the answer back to him. This way, the auditor can't trip you up on the spot, and you won't accidentally say something you'll regret. And it gets to go through the filter of someone else. Even if you know the answer, don't say anything. Make them go through channels. Now you may not choose to do it this way in your shop, but it's worked very well for quite a few places I've been in.
Second is during the actual interview. Auditors will quite often call you in to ask specific questions. Usually you have someone else in your dept sitting in with you to make sure everything goes well... just kind of a witness. When the auditor asks you questions here, you may answer them, but use as few words as possible. Never say 20 words when a yes will do. Treat this just like testifying in court. Answer the question asked, no more, no less. It's tempting sometimes to want to explain yourself or your reasoning for why something's done, but it's not relevant here. In the case from above, I would only hope the DBA wouldn't answer like this:
Q: Do you backup the DBs every night?
A: Yes... but we quite often go several nights without our backups working, and we never test restores, and it doesn't matter anyway, because the drive we keep them on is old and slow and will probably die any day now, and since they're not pushed to tape we'd be in real trouble if that happened.
The clear answer is simply yes. Then SHUT UP!!!
Also, don't let them rope you into answering questions that are outside your area. Anything not having to do strictly with DBs is none of your concern. Some sample questions are...
Q: How many users inside Solomon have elevated rights to create accounts?
A: I'm not responsible for Solomon. The Solomon admin would have to field that question.
Q: What method do users use to authenticate to your intranet?
A: You'll have to ask that question to the intranet admin.
Q: How many users have db_owner in the ADP database?
A: At this point I could only guess, but send me that question in email and I'll get you an answer.
Notice that last question was in your range and it still didn't get answered? Auditors will write down whatever you tell them on the spot, and move on. Don't guess at anything. If you're not sure of an answer, say so, and ask them to submit it in email and you'll verify the answer and send it to them. This is crucial because you won't get a 2nd chance to answer that once they've written something down. You've got a few dozen servers to look after, and nobody expects you to have all the answers off the top of your head.
Ok, that's all I've got... happy auditing!!
About Me
- Sean McCown
- I am a Contributing Editor for InfoWorld Magazine, and a frequent contributor to SQLServerCentral.com as well as SSWUG.org. I live with my wife and 3 kids, and have practiced and taught Kenpo for 22yrs now.
12 comments:
Good luck with your audit
mynewsbot.com
Hi
I completely disagree. I see the auditor as my primary ally in ensuring that systems are run to a high standard. Managers tend to look at the bottom line whereas I tend to look to my professional responsibility; auditors ensure adherence to standards.
I have used auditors to mediate where I have felt that a manager's cost cutting / this is how we do it here attitude / lack of knowledge / etc is putting a system at risk.
Karl
DBA
Answer but don't offer. Auditors, like HR, are not your friends, allies, or partners. I like feeding my family and that tends to not get done if I get fired for being stupid around auditors.
If the company is doing something stupid with the systems it is the responsibility of management to address that with the auditors.
Having personally dealt with district and federal court situations, I agree with the person who said the auditors are NOT your friends, allies or partners. They, like anyone else, have a specific job to do, and they do it. Auditors I've worked with are quick to inform me that they have a responsibility to the parties they report to. So, I keep up-to-date records, files and backups, to validate and prove my information is correct. This has proven that I am "clean" of any wrongdoing, as well as always reporting to management, in advance, any situation where there is a conflict. For nearly 20 years now... every audit has gone smoothly and flawlessly.
You will talk the way your boss commands you to talk.
But in court you will tell the truth and nothing but the truth.
--
I treat external auditors like I do any other external entity: before I answer a question about my infrastructure, you've got to show me you have a valid reason to have the information. "I'm an auditor" isn't enough. For instance, if you're in doing a SOX audit, I want to know how the information you're asking for is relevant to SOX. If I'm not clear on the whys, you need to send me an email (and CC my boss) explaining why you need that information.
Then, when you do justify it, I'm going to give you the information you need and nothing more. Why? Again because you are an external entity. I don't know fully the extent to which you'll use the information I give you, so I'll err on the side of caution and give you exactly what you ask for (which you've proven you need) and no more.
External vs Internal is a key concern. External auditors are there for strictly compliance reasons. You will typically find more of an audit cop mentality. Internal audit (if it's a good group of people) will be highly consultative and have a goal of helping you improve your processes rather than enjoy playing Columbo.
To be honest, the original poster would make any good auditor wonder what he was hiding based on his evasive and uptight nature. If you have nothing to hide, you will be relaxed and cooperative. Auditors are trained to pick up on body language cues.
Thanks mate... just dropped by. Will look for BIKE STN when we get to Seattle. Still in Buenos Airies.